Cybercriminals Revive QakBot Tactics: The Rise of DarkGate and PikaBot


In the constantly evolving world of cybersecurity threats, cybercriminals are revitalizing earlier techniques with the new malware strains DarkGate and PikaBot, which revive the playbook of QakBot. Recent phishing campaigns have been observed distributing DarkGate and PikaBot malware using tactics historically associated with the notorious QakBot trojan. Further investigation has revealed a troubling pattern in which attackers initiate infections through compromised email threads and use distinct URL patterns that restrict which users can reach the payload. These deceptive tactics aim to breach systems, resulting in unauthorized access to confidential data.

Experts from Cofense report that the malware families used in these nefarious activities align with those typically utilized by QakBot affiliates. Such unsettling news comes even though Operation Duck Hunt dismantled QakBot in the prior month. Meanwhile, Zscaler’s analysis has identified striking similarities between PikaBot and its predecessor in terms of distribution methods and behaviors.

Delving deeper into the capabilities of these malware variants, DarkGate emerges as a particularly troublesome threat. It boasts advanced evasion techniques, keystroke logging, PowerShell execution, and even remote control over infected systems. A closer look at the techniques employed by DarkGate reveals the malware’s sophistication, including its covert operational abilities and proficiency at evading antivirus detection.

The ingenuity of these attacks does not end there. The Cofense analysis highlights that a widespread campaign targets various sectors with a malicious URL placed inside hijacked email threads. This URL leads unsuspecting victims to a ZIP archive containing a JavaScript dropper. From there, the dropper fetches a secondary URL to download and execute the DarkGate or PikaBot malware. Variations of the campaign use Excel add-in (XLL) files to deploy the final payloads.
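One way a defender could hunt for the chain just described (ZIP from a hijacked thread, JavaScript dropper, second-stage fetch) in endpoint telemetry. This is an added example, not code from Cofense, Zscaler or the article; the Sysmon-like event shape, the script-host list, the directory heuristic and the 5-minute window are assumptions, and the sample events are constructed.

```python
"""Heuristic detection for the delivery chain described above:
ZIP -> JavaScript dropper run by a script host -> outbound second-stage fetch.
Sample events are constructed, Sysmon-like process/network records."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}            # assumed script hosts
SUSPICIOUS_DIRS = ("\\downloads\\", "\\temp\\")          # assumed user-writable dirs

@dataclass
class Event:
    ts: datetime
    kind: str          # "process" or "network"
    pid: int
    image: str         # process image name
    cmdline: str = ""  # command line (process events)
    dest: str = ""     # remote host (network events)

def is_js_dropper_launch(ev: Event) -> bool:
    """A script host launching a .js file from a download/temp directory,
    which is how an extracted ZIP dropper would typically be run."""
    if ev.kind != "process" or ev.image.lower() not in SCRIPT_HOSTS:
        return False
    cl = ev.cmdline.lower()
    return ".js" in cl and any(d in cl for d in SUSPICIOUS_DIRS)

def find_dropper_chains(events: List[Event],
                        window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Pair each suspicious script launch with the first outbound connection
    from the same PID inside `window`: the second-stage download step."""
    hits = []
    for launch in (e for e in events if is_js_dropper_launch(e)):
        for ev in events:
            if (ev.kind == "network" and ev.pid == launch.pid
                    and launch.ts <= ev.ts <= launch.ts + window):
                hits.append({"pid": launch.pid, "script": launch.cmdline,
                             "dest": ev.dest})
                break
    return hits

# Constructed sample telemetry (not real campaign data); hosts are placeholders.
SAMPLE = [
    Event(datetime(2023, 11, 20, 9, 0, 0), "process", 4120, "outlook.exe", "outlook.exe"),
    Event(datetime(2023, 11, 20, 9, 1, 5), "process", 5300, "wscript.exe",
          'wscript.exe "C:\\Users\\alice\\Downloads\\invoice\\report.js"'),
    Event(datetime(2023, 11, 20, 9, 1, 7), "network", 5300, "wscript.exe",
          dest="stage2.example.invalid"),
    Event(datetime(2023, 11, 20, 9, 5, 0), "process", 6100, "wscript.exe",
          'wscript.exe "C:\\Program Files\\Vendor\\logon.js"'),  # benign admin script
    Event(datetime(2023, 11, 20, 9, 5, 2), "network", 6100, "wscript.exe",
          dest="intranet.example"),
]

if __name__ == "__main__":
    for hit in find_dropper_chains(SAMPLE):
        print("ALERT: JS dropper chain", hit)
```

The benign script-host run from Program Files is deliberately left unflagged; tune the directory list and window to your environment before relying on this rule.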

Collateral damage from a successful infection could be devastating for an individual or organization. DarkGate and PikaBot can install crypto mining software, reconnaissance tools, and ransomware, to name a few. These malware strains are attractive to cybercriminals because they are capable of delivering additional payloads to compromised hosts. This adaptability ensures their longevity and effectiveness in the malicious toolkit of cyber threats.

The resilience and mutation of cyber threats like QakBot into new forms such as DarkGate and PikaBot underline the necessity of robust security measures. Building awareness and educating employees on the risks of phishing is also vital. Implementing multi-factor authentication and staying informed about cybersecurity trends are proactive steps towards countering these sophisticated attacks. Protecting sensitive information is no longer an option, but a mandatory defense in this digital age of persistent and advanced cyber threats.


November 26, 2023